ICO fines Uber £385,000 following its 2016 data breach

The penalty follows an investigation by the watchdog into Uber’s 2016 data breach

The Information Commissioner's Office (ICO) has fined mobile taxi-hailing juggernaut Uber £385,000 for failing to protect customer data in its devastating data breach scandal back in 2016.

The incident was a "serious breach of principle seven of the Data Protection Act 1998", said the ICO, and had the potential to expose the affected customers and drivers to increased risk of fraud being carried out against them.

The fine follows another one issued to the company recently in September. After agreeing to terms with all 50 American states and the District of Columbia, Uber agreed to pay $148 million for failing to notify its drivers that their details had been stolen.

The October 2016 data breach in question affected 57 million of the company's drivers. Names, email addresses and phone numbers of over 50 million drivers were stolen and around 7 million drivers were affected, with hackers accessing around 600,000 US driver's license numbers.


In the UK, more than 2.7 million of its British customers and drivers were affected too. Again, names, email addresses and phone numbers were all stolen in the hack and, according to an ICO investigation, the records of almost 82,000 drivers based in the UK, including details of journeys made and how much they were paid, were also stolen.

"This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen," said Steve Eckersley, ICO Director of Investigations. "At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."

The data was stolen as a result of "a series of avoidable security flaws" in Uber's cloud-based storage system operated by Uber's US parent company. The ICO investigation also established how Uber's data storage was breached. A process called 'credential stuffing' was used, which involves taking compromised username and password pairs and plugging them into websites until they match an existing account. The matched account details were then used to gain access to the cloud-based storage system.

"We're pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we've made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since," said an Uber spokesperson. "We learn from our mistakes and continue our commitment to earn the trust of our users every day."

Following the data breach, it was reported that Uber paid the hackers $100,000 (£78,000) for their silence so it could quietly cover up the incident behind closed doors.

"Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack," said Eckersley. "Although there was no legal duty to report data breaches under the old legislation, Uber's poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected."

Reports also claim Uber's former CEO Travis Kalanick knew about the breach for over a year. He was forced out of the company in June 2017 amid allegations of sexism and poor working practices.
